On Sun, May 26, 2013 at 06:57:44PM -0700, Steven Dake wrote:
> On 05/25/2013 01:09 PM, Steven Hardy wrote:
> >On Fri, May 24, 2013 at 04:32:15PM +0200, Juerg Haefliger wrote:
> >>Hi all,
> >>
> >>Per Matt's request, I'm starting a new thread about the default user
> >>name for Fedora cloud images. Currently it's 'ec2-user' which I don't
> >>really like. OK, coming from the OpenStack-side of the cloud I might
> >>be a little biased :-) Nevertheless, I think we want to achieve an end
> >>goal of a single image that can be used in different cloud
> >>environments rather than having different images for the different
> >>environments. As such, the user name needs to be cloud/service
> >>provider independent. Following the lead of Ubuntu and Debian I
> >>propose to use 'fedora' as the default user name for F19 and going
> >>forward.
> >
> >If we have to have a default user configured in the package, then "fedora",
> >or "fedora-user" gets my +1.
> >
> >I also agree that just using root would be easier & less confusing, since
> >the passwordless sudo amounts to that anyway.
>
> Steve,
>
> Applications run as the user (fedora-user) and would need a more
> complicated attack vector to escalate privileges via sudo than a
> root-run daemon running inside the instance would (no remote
> execution of sudo plus other commands would be required). For
> example, a network daemon running only as root could be attacked by
> reading files via the network via a non-remote-execution attack
> (think web app reading and displaying mysql passwords from the
> filesystem). This mysql leak could then be used as a different
> attack, which would not have been possible if the app was running
> without non-privileged capabilities.

Sorry, but I really don't understand this argument at all - any sanely
packaged software will create a suitably unprivileged user to run their
application/daemon, and running them as a user which has passwordless sudo
rights seems like a terrible idea.

If people really are using the default user in the manner you describe, then
I think it is a good argument for not having a default user at all (in the
package), e.g. make it part of the ec2 AMI for historical reasons, but require
other users of cloud-init to make an explicit decision about what users are
created and what privileges they have via cloud-config.

Allowing SSH to the not-root-but-actually-is-root account negates nearly all
of the advantages of disabling root SSH logins, and in particular you lose
any audit trail because it's a generic account.

IMO in any environment where you actually care about security, you'd want to
remove the package-default user and instead provide admin access via real
user accounts (e.g. configure centralized authentication or use some other
method which provides identification of the admin accessing the system).

> Further complicating things, many applications will not run when
> root capabilities are present in the process (they self-check and
> complain "don't run as root").

So they create a user in the RPM at install time.

Cheers,

Steve

_______________________________________________
cloud mailing list
cloud@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/cloud
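The explicit cloud-config user policy Steve argues for, as an added example that is not part of the thread or of cloud-init's own defaults: the package-default user is not created, admin access goes through a named account, and the application gets an unprivileged account without sudo. The user names, SSH key and password hash are constructed placeholders.

```yaml
#cloud-config
# Added example, not from the thread. Names, key and hash are placeholders.

# Leaving "default" out of the users list tells cloud-init not to create the
# distro default user (ec2-user / fedora) and its NOPASSWD sudo rule, so the
# image carries no generic root-in-all-but-name account.
users:
  # A named admin: sshd and sudo log "alice", so the audit trail identifies
  # the person rather than a shared account.
  - name: alice
    gecos: Alice Example (ops)
    groups: [wheel]
    shell: /bin/bash
    ssh_authorized_keys:
      - ssh-ed25519 AAAA...PLACEHOLDER alice@workstation
    # A local password exists only so that sudo can ask for it; remote
    # password login is disabled below (ssh_pwauth: false).
    lock_passwd: false
    passwd: "$6$PLACEHOLDER$replace-with-a-real-sha512-crypt-hash"
    # Plain "ALL" keeps the authentication step; "NOPASSWD:ALL" is the form
    # the thread objects to because it makes the account equivalent to root.
    sudo: ["ALL=(ALL) ALL"]

  # Unprivileged service account for the application, as an RPM would create
  # at install time: no login shell, no password, no sudo, so a compromised
  # application has no sudo path to root.
  - name: webapp
    system: true
    shell: /usr/sbin/nologin
    lock_passwd: true
    sudo: false

disable_root: true   # no direct root SSH logins
ssh_pwauth: false    # key-based SSH only; passwords are never accepted remotely
```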